Ransomware attacks can cripple organizations and can prompt clients to take their business elsewhere. They’re also expensive cyber security events, as average remediation costs exceed $1.5 million. Organizations can accelerate ransomware preparedness by engaging in ransomware tabletop exercises, which enable cyber security personnel to evaluate incident response plans and mitigation techniques.

Why tabletop exercises?

Tabletop exercises permit the simulation of real-world situations, forcing participants to think critically and to customize response strategies within a friendly and safe environment. Some experts recommend bringing in a trusted, vetted and experienced external facilitator who can provide new insights. An external facilitator may also be able to focus this unwieldy exercise more effectively than internal persons.

A hands-on approach to ransomware will identify technical mechanisms and security protocols necessary for a fast-paced threat response. It will also assist staff in evaluating the overall impact of cyber threats and thus shape new operational designs and business continuity planning.

Conducting a ransomware tabletop exercise

Here are several tips pertaining to the execution of a successful ransomware tabletop exercise:

Education and preparation. All participants should understand how and why an organization might encounter a ransomware threat. Participants should also take note of their tabletop exercise roles and familiarize themselves with key terminology ahead of the exercise.

Collaborative environment. An essential, if often overlooked, component of a tabletop exercise involves establishing a safe learning environment. Divergent perspectives should be expected, welcome and heard.

Staff should also arrive with a general, shared understanding of the organizational capabilities, systems and processes in existence, so as to be able to easily apply new learning to organizational operations.

The need to create a collaborative, open and professional atmosphere cannot be overstated. The tabletop exercise facilitator should offer participants guidelines surrounding conduct and should establish the right tone for the exercise.

The scenario. After the facilitator reviews guidelines for the exercise, the scenario should be presented. The ransomware scenario at hand should reflect genuine attack possibilities that could occur in, around and for your organization.

Further, the facilitator should take care to ensure that all participants hear about the attack scenario at the same time and in the same “space” (whether physical, virtual or a hybrid) as to ensure that everyone retains near-identical understandings of the situation.

As the scenario plays out, it is also acceptable for the facilitator to insert unexpected “plot twists” or challenges within the exercise. This helps stretch thinking.

Facilitated discussion. Selecting an external consultant and information security expert as a discussion facilitator can enable organizations to make the most out of exercises. This person can motivate the team, provide guidance, and encourage participants to respond as though it were a real-life event.

Post-tabletop analysis. After the tabletop exercise, it’s important to take the time to reflect on what occurred, to develop a post-exercise report or summary memo, and to ask participants for feedback. In the event that an external individual has facilitated the exercise, this person should take detailed notes and offer a concluding report. Findings can be incorporated into business continuity, disaster recover, and incident response plans. Action items can be discussed among the team.

Additional tips: Ransomware tabletop exercise

Ahead of moving forward with a ransomware tabletop exercise, organizations should identify who needs to participate. Those involved need to represent essential business departments and groups. Participants may include senior leadership, legal department employees, IT personnel, communications coordinators, human resources representatives, and facilities employees. Participation on the part of the CEO is recommended. It helps highlight the organization’s prioritization of cyber security and a strong cyber security posture.

Whether or not stakeholders work-from-home should not factor into decisions about who can or should participate. In this day in age, it’s easy to extend participation opportunities to virtual employees.

Closing thoughts

Tabletop exercises are intended as opportunities for members of a given organization to collectively learn about and improve cyber security. Within the exercise itself, it’s acceptable for participants to pursue unique or creative ideas and participants should also be sure to discuss worst-case scenarios. Your organization cannot address vulnerabilities in the absence of candid exploration of those potential problems.

Consider launching multiple tabletop exercises annually. There are different types of tabletop exercises available for use in the evaluation of cyber security preparedness. Consistently test plans and ensure that employees can effectively execute rapid-fire responses. Update best practices on a quarterly or bi-annual bases to build resilience within your business.

Avoid getting caught flat-footed as a ransomware attack starts to infiltrate your systems. The ransomware tabletop exercise insights in this article can elevate your organization’s level of cyber security maturity and can prevent damaging business consequences.

For more insights into ransomware preparedness, read our ransomware eBook. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.